<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>OpenSSH Features</title>
<link rev=made href="mailto:www@openbsd.org">
<meta name="resource-type" content="document">
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="OpenSSH Features">
<meta name="keywords" content="OpenSSH,features">
<meta name="distribution" content="global">
<meta name="copyright" content="This document copyright 1996-2005 by OpenBSD.">
</head>

<body bgcolor="#ffffff" text="#000000" link="#23238E">
<a href="index.html"><img alt="[OpenSSH]" height="30" width="141" src="images/smalltitle.gif" border="0"></a>
<p>
<h2><font color="#e00000">Features</font></h2>
<hr>

OpenSSH is a free SSH/SecSH protocol suite providing encryption for
network services like remote login or remote file transfer.
<p>
The following is a list of OpenSSH features:
<p>

<ul>
<li>Open Source Project
<li>Free Licensing
<li>Strong Encryption (3DES, Blowfish, AES, Arcfour)
<li>X11 Forwarding (encrypt X Window System traffic)
<li>Port Forwarding (encrypted channels for legacy protocols)
<li>Strong Authentication (Public Key, One-Time Password and Kerberos Authentication)
<li>Agent Forwarding (Single-Sign-On)
<li>Interoperability (Compliance with SSH 1.3, 1.5, and 2.0 protocol Standards)
<li>SFTP client and server support in both SSH1 and SSH2 protocols.
<li>Kerberos and AFS Ticket Passing
<li>Data Compression
</ul>
<p>

<hr>

&nbsp;<strong>Open Source Project</strong>
<p>
The OpenSSH source code is available free to everyone via the Internet.
This encourages code reuse and code auditing.
Code review ensures that bugs can be found and corrected by anyone.  This
results in secure code.
<p>

&nbsp;<strong>Free Licensing</strong>
<p>
OpenSSH is not covered by any restrictive license. It can be used for any
and all purposes, and that explicitly includes commercial use.
<a href="http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD">
The license</a> for OpenSSH is included in the distribution.
We feel that the world would be better if routers, network appliances,
operating systems, and all other network devices had ssh integrated into
them.
<p>

All components of a restrictive
nature (i.e. patents,
see <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ssl&amp;sektion=8">ssl</a>)
have been removed from the source code;
any licensed or patented components are chosen from external libraries
(e.g. <a href="http://www.openssl.org">OpenSSL</a>).

The IDEA symmetric cipher is no longer available, since it is patented in
many countries.  Instead, we recommend people use any of the other ciphers
available.  (We see no justification for using a patented symmetric cipher,
since there are many free ones.)
<p>

&nbsp;<strong>Strong Encryption</strong>

<p>
OpenSSH supports 3DES, Blowfish, AES and arcfour as encryption algorithms.
These are patent free.<br>
<b>Triple DES</b> is a time proven and well understood cipher
that provides strong encryption.<br>
<b>Blowfish</b> is a fast block cipher invented by Bruce Schneier that
can be used by people that require faster encryption.<br>
<b><a href="http://www.nist.gov/aes">AES</a></b> is the US Federal
Information Processing Standard (FIPS) Advanced Encryption Standard
developed as a replacement for DES.  It is a fast block cipher.<br>
<b>Arcfour</b> is a fast stream cipher.  It is believed to be compatible
with RC4[TM], a proprietary cipher of RSA Security Inc.

<p>
Encryption is started before authentication, and
no passwords or other information is transmitted in the clear.
Encryption is also used to protect against spoofed packets.

<p>
&nbsp;<strong>X11 Forwarding</strong>
<p>
X11 forwarding allows the encryption of remote X windows traffic, so
that nobody can snoop on your remote xterms or insert malicious
commands.  The program automatically sets DISPLAY on the server
machine, and forwards any X11 connections over the secure channel.
Fake Xauthority information is automatically generated and forwarded
to the remote machine; the local client automatically examines
incoming X11 connections and replaces the fake authorization data with
the real data (never telling the remote machine the real information).
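<p>
The cookie substitution described above, as an added example that is not OpenSSH's own code:
the helper below parses the X11 connection setup request that an X client sends first
(byte-order byte, protocol version, authorization protocol name and data, each padded to
four bytes), checks that the client presented the fake MIT-MAGIC-COOKIE-1 cookie that was
handed to the remote side, and only then rewrites the request with the real cookie before it
reaches the local X server. A request carrying any other cookie, or another authorization
protocol, is refused, which is what keeps the real cookie from ever being disclosed to the
remote machine. The cookie values and the request builder are constructed sample input, and
the function names are this example's own.
<p>

```python
# Added example: cookie substitution for X11 forwarding (not OpenSSH's code).
import hmac
import os
import struct

AUTH_PROTO = b"MIT-MAGIC-COOKIE-1"
COOKIE_LEN = 16  # MIT-MAGIC-COOKIE-1 cookies are 16 random bytes

# Constructed sample cookies: the fake one is what the remote side is told,
# the real one never leaves the local machine.
FAKE_COOKIE = bytes(range(16))
REAL_COOKIE = bytes(range(16, 32))


def _pad4(n):
    """X11 pads variable-length fields to a four-byte boundary."""
    return (-n) % 4


def new_fake_cookie():
    """Generate a throwaway cookie to place in the remote Xauthority."""
    return os.urandom(COOKIE_LEN)


def build_setup_request(proto, data, byte_order=b"l"):
    """Build an X11 connection setup request (used here as constructed input).

    Layout: byte-order(1) pad(1) major(2) minor(2) name_len(2) data_len(2)
    pad(2), then name + pad, data + pad.  'l' = little-endian, 'B' = big-endian.
    """
    fmt = ">" if byte_order == b"B" else "<"
    header = (byte_order + b"\x00"
              + struct.pack(fmt + "HHHH", 11, 0, len(proto), len(data))
              + b"\x00\x00")
    return (header + proto + b"\x00" * _pad4(len(proto))
            + data + b"\x00" * _pad4(len(data)))


def substitute_cookie(buf, fake_cookie, real_cookie, proto=AUTH_PROTO):
    """Inspect the setup request arriving over the forwarded channel.

    Returns the request rewritten with the real cookie if the client
    presented exactly our fake cookie, or None if the request is short,
    malformed, or carries any other authorization data; a None result
    means the connection must be refused rather than passed to the X server.
    """
    if len(buf) < 12:
        return None
    if buf[0:1] == b"B":
        fmt = ">"
    elif buf[0:1] == b"l":
        fmt = "<"
    else:
        return None
    proto_len, data_len = struct.unpack(fmt + "HH", buf[6:10])
    name_off = 12
    data_off = name_off + proto_len + _pad4(proto_len)
    end = data_off + data_len + _pad4(data_len)
    if len(buf) < end:
        return None  # not enough bytes yet, or a truncated request
    if buf[name_off:name_off + proto_len] != proto:
        return None  # some other authorization protocol
    if data_len != len(fake_cookie) or len(real_cookie) != len(fake_cookie):
        return None
    if not hmac.compare_digest(buf[data_off:data_off + data_len], fake_cookie):
        return None  # cookie is not the one we handed out
    return buf[:data_off] + real_cookie + buf[data_off + data_len:]


def demo():
    """Round trip with the constructed cookies; True if the swap worked."""
    request = build_setup_request(AUTH_PROTO, FAKE_COOKIE)
    rewritten = substitute_cookie(request, FAKE_COOKIE, REAL_COOKIE)
    return rewritten == build_setup_request(AUTH_PROTO, REAL_COOKIE)


if __name__ == "__main__":
    print("substitution ok:", demo())
```

The comparison of the presented cookie uses a constant-time compare, and the
request is only rewritten once the whole authorization field has arrived; a
forwarder that patched the bytes before seeing the complete request could be
made to leak the real cookie into a request it had not yet validated.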
<p>
&nbsp;<strong>Port Forwarding</strong>
<p>
Port forwarding allows forwarding of TCP/IP connections to a remote
machine over an encrypted channel.  Standard Internet applications
like POP can be secured with this.
<p>
&nbsp;<strong>Strong Authentication</strong>
<p>
Strong authentication protects against several security problems, e.g.,
IP spoofing, fake routes, and DNS spoofing.  The authentication
methods are: .rhosts together with RSA based host authentication,
pure RSA authentication, one-time passwords with s/key, and finally authentication
using <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=kerberos&amp;sektion=8">Kerberos</a>.
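<p>
How the host key check defeats these spoofing attacks, as an added example that is not
OpenSSH's own code: the client remembers each server's public host key in known_hosts and
only trusts a server that can prove possession of that key, so an attacker who redirects a
connection by spoofing addresses, routes or DNS cannot also present the expected key. The code
below encodes and parses the ssh-rsa public key wire format, computes the SHA256 fingerprint
in the form that later OpenSSH releases print, and checks a key against constructed
known_hosts entries, including the hashed <code>|1|salt|hash</code> first field (HMAC-SHA1
of the host name keyed with the salt) that HashKnownHosts writes. Neither the hashed entries
nor the SHA256 fingerprints are described on this page. The modulus and the entries are
constructed, not real keys; wildcards, negated patterns, <code>[host]:port</code> entries and
@cert-authority or @revoked markers are not handled.
<p>

```python
# Added example: host key verification against known_hosts (not OpenSSH's code).
import base64
import hashlib
import hmac
import os
import struct


def _ssh_string(b):
    """uint32 length followed by the bytes (RFC 4251 'string')."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """RFC 4251 'mpint': big-endian two's complement, leading 0x00 if the MSB is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def rsa_public_blob(e, n):
    """Encode an RSA public key in the ssh-rsa wire format (RFC 4253 section 6.6)."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def parse_public_blob(blob):
    """Walk the length-prefixed fields; returns (key type, [field bytes, ...])."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + length])
        off += length
    return fields[0].decode("ascii"), fields[1:]


def fingerprint_sha256(blob):
    """Fingerprint as later ssh-keygen prints it: SHA256:<base64 without padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def hashed_host_entry(hostname, salt=None):
    """Build the hashed first field |1|<salt>|<HMAC-SHA1(salt, hostname)>;
    a fixed salt is only passed in to make the sample data reproducible."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode("ascii"),
                         base64.b64encode(mac).decode("ascii"))


def host_matches(pattern_field, hostname):
    """Match the first known_hosts field: comma-separated plain names, or hashed."""
    if pattern_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern_field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in pattern_field.split(",")


def verify_host_key(known_hosts_text, hostname, keytype, blob):
    """'ok' if an entry for hostname carries exactly this key; 'mismatch' if the
    host is known with a different key of this type (the sign of a spoofed host
    or a changed key, and the case a client must refuse); 'unknown' otherwise."""
    known = False
    for line in known_hosts_text.splitlines():
        parts = line.split(None, 3)  # hosts, key type, base64 key, optional comment
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[1] != keytype or not host_matches(parts[0], hostname):
            continue
        known = True
        if hmac.compare_digest(base64.b64decode(parts[2]), blob):
            return "ok"
    return "mismatch" if known else "unknown"


# Constructed sample data: the modulus is NOT a real RSA key, it only exercises the encoding.
SAMPLE_BLOB = rsa_public_blob(65537, (1 << 2047) | 0x10001)
OTHER_BLOB = rsa_public_blob(65537, (1 << 2047) | 0x10003)
KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "mail.example.com,192.0.2.10 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii"),
    hashed_host_entry("shell.example.com", b"\x01" * 20) + " ssh-rsa "
    + base64.b64encode(SAMPLE_BLOB).decode("ascii"),
])

if __name__ == "__main__":
    print(fingerprint_sha256(SAMPLE_BLOB))
    for host, blob in (("mail.example.com", SAMPLE_BLOB), ("mail.example.com", OTHER_BLOB),
                       ("shell.example.com", SAMPLE_BLOB), ("other.example.com", SAMPLE_BLOB)):
        print(host, verify_host_key(KNOWN_HOSTS, host, "ssh-rsa", blob))
```

The three outcomes map onto what a client has to do: "ok" proceeds, "unknown" is
the first-contact case where the fingerprint must be confirmed out of band, and
"mismatch" is the one that must abort the connection, since it is exactly what a
redirected connection to an impostor looks like.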
<p>
&nbsp;<strong>Agent Forwarding</strong>
<p>
An authentication agent, running in the user's laptop or local
workstation, can be used to hold the user's RSA or DSA authentication 
keys. OpenSSH automatically forwards the connection to the 
authentication agent over any connections, and there is no need to 
store the RSA or DSA authentication keys on any machine in the network 
(except the user's own local machine).  The authentication protocols 
never reveal the keys; they can only be used to verify that the 
user's agent has a certain key.  Eventually the agent could rely on a 
smart card to perform all authentication computations.
<p>
&nbsp;<strong>Interoperability</strong>
<p>
OpenSSH versions before 2.0 support the SSH 1.3 and SSH 1.5 protocols
permitting communication with most UNIX, Windows and other commercial
ssh implementations.
<p>
As of OpenSSH 2.0, as well as supporting SSH 1.3 protocol and SSH 1.5
protocol, OpenSSH also has support for the SSH 2.0 protocol.  This protocol
avoids using the RSA algorithm -- since at the time protocol 2.0 was
invented the RSA patent was still in effect -- and uses the freely usable
DH and DSA algorithms instead.
<p>
Thus, OpenSSH gives you the best of both worlds.  You can interoperate with
<strong>both</strong> types of ssh clients and servers!
<p>
&nbsp;<strong>SFTP client and server support in both SSH1 and SSH2 protocols</strong>
<p>
As of OpenSSH 2.5.0, complete SFTP support is included, using the
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&amp;sektion=1">sftp(1)</a>
command as a client.  The
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=sftp-server&amp;sektion=8">
sftp-server(8)</a>
subsystem automatically works in both the SSH1 and SSH2 protocols.
<p>
&nbsp;<strong>Kerberos and AFS Ticket Passing</strong>
<p>
OpenSSH also passes tickets for Kerberos and AFS on to the remote
machine.  A user can thus access all his Kerberos and AFS services
without the need to type in a password again.
<p>
&nbsp;<strong>Data Compression</strong>
<p>
Data compression before encryption improves the performance
for slow network links.
<p>
<hr>
<a href="index.html"><img height=24 width=24 src="back.gif" border=0 alt=OpenSSH></a> 
<a href="mailto:www@openbsd.org">www@openbsd.org</a>
<br><small>$OpenBSD: features.html,v 1.23 2005/07/14 04:25:32 dtucker Exp $</small>

</body>
</html>
